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wmm 1. Introduction 

A conditional access (CA) system comprises a 
combination of scrambling and encryption to 
prevent unauthorized reception. Scrambling is the 
process of rendering the sound, pictures and data 
unintelligible. Encryption is the process of pro- 
tecting the secret keys that have to be transmitted 
with the scrambled signal in order for the 
descrambler to work. After descrambling, any 
defects on the sound and pictures should be 
imperceptible, i.e. the CA system should be trans- 
parent. 

The primary purpose of a CA system for broad- 
casting is to determine which individual receivers/ 
set-top decoders shall be able to deliver particular 
programme services, or individual programmes, to 
the viewers. The reasons why access may need to 
be restricted include: 



EBU Project Group B/CA has 
developed a functional model of a 
conditional access system for use 
with digital television broadcasts. It 
should be of benefit to EBU 
Members who intend to introduce 
encrypted digital broadcasts; by 
using this reference model, 
Members will be able to evaluate the 
different conditional access systems 
that are available. 

The model is not intended as a 
specification for a particular system. 
Rather, it provides a framework for 
defining the terms and operating 
principles of conditional access 
systems and it illustrates some of the 
conflicts and trade-offs that occur 
when designing such systems. 



to enforce payments by viewers who want a 
cess to particular programmes or programs 
services; 

to restrict access to a particular geographic 
area because of programme-rights considc 
ations (territorial control can be enforced il tf 
receiver has a built-in GPS system); 
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Glossary 



Access Control System/Conditional Access System: The 

complete system for ensuring that broadcasting services are 
only accessible to those who are entitled to receive them. 
The system usually consists of three main parts - signal 
scrambling, the encryption of the electronic "keys" needed by 
the viewer, and the subscriber management system which 
ensures that viewers entitled to watch the scrambled 
programmes are enabled to do so. 

Algorithm: A mathematical process (e.g. DES. RSA) which 
can be used for scrambling and descrambling a data stream. 

Bouquet: A collection of services marketed as a single 
entity. 

Conditional Access Sub-System (CASS): The part of the 
decoder which is concerned with decoding the electronic 
keys and recovering the information needed to control the 
descrambling sequence. It is now usually implemented, all or 
in part, as a smart card. 

Control Word: The key used in the descrambler. 

Descrambling: The process of undoing the scrambling to 
yield intelligible pictures, sound and/or data services. 

Electronic key: A general term for the data signals used to 
control the descrambling process in the decoders. There are 
several different levels of key. identifying the network which 
the subscriber is entitled to access, the services within that 
network that are available to the subscriber and the defied 
control information to operate the descrambler. The ECMs 
are one component of this "key" data; all levels must be 
correctly decrypted in order to view the programme. 

Encryption: The method of processing the continually- 
changing electronic keys needed to descramble the 
broadcast signals, so that they can be securely conveyed to 
the authorized users, either over-the-air or on smart cards. 

Entitlement Control Message (ECM): A cryptogram of the 
control word and the access conditions. An ECM is a 
specific component of the electronic key signal and 
over-the-air addressing information. The ECMs are used to 
control the descrambler and are transmitted over-air in 
encrypted form. 

Entitlement Management Message (EMM): A message 
authorizing a viewer to descramble a service. An EMM is a 
specific component of the electronic key signal and 
over-the-air addressing information. The EMMs are used to 
switch individual decoders, or groups of decoders, on or off 
and are transmitted over-air in encrypted form. 
Event: A grouping of elementary broadcast data streams 
with a defined start and time (e.g. an advert or a news flash). 

Impulse Pay-Per-View: Impulse Pay-Per-View requires no 
pre-booking. This rules out some Pay-Per-View methods 
(e.g. issuing smart cards for specific programmes). Smart 
card debit or electronic banking via telephone line, both 
support impulse Pay-Per-View. Over-the-air addressing can 
support impulse PPV. provided that the time taken to process 
the request is sufficiently smalt (this implies a relatively large 
capacity for over-the-air addressing data in the transmission 
channel. 

Multiplex: An assembly of all the digital data that is carrying 
one or more services within a single physical channel. 



Pay-Per-View (PPV): A payment system whereby the 
viewer can pay for individual programmes rather than take 
out a period subscription. Pay-Per-View can work by debtting 
electronic credit stored in a smart card, by purchasing smart 
cards issued for special programmes, or by electronic 
banking using a telephone line to carry debiting informat.on 
from the home to the bank. 

Period Subscription: The most popular payment system, in 
which the viewer subscribes to a programme service for a 
calendar period (e.g. one year). 

Piracy Unauthorized access to controlled programmes. 
Common methods of piracy include the issue of counterfeit 
smart cards and decoders which bypass all or part of the 
access control system. The use of video cassette recorders 
to record descrambled pictures for distribution among 
friends/colleagues is also a simple method of piracy. 

Programme: A television (or radio) presentation produced 
by programme providers for broadcasting as one of a 
sequence. A programme is a grouping of one or more events. 

Scrambling* The method of continually changing the form of 
the broadcast signal so that, without a suitable decoder and 
electronic key, the signal is unintelligible. 

Service' A sequence of events, programmes or data, based 
on a schedule, assembled by a service provider to be 
delivered to the viewer. 

SimulCrypt: A system for allowing scrambled picture/sound 
signals to be received by decoders using different access 
control systems. The principle of the system is that the 
different ECMs and EMMs needed for the various access 
control systems are sent over-air together. Any one decoder 
nicks out the information it needs and ignores the other 
codes It is analagous to providing multiple front doors to a 
large house, each with a different lock and its own door key. 
Smart Card: A device that looks rather like a credit card; it is 
used as a token of entitlement to descramble broadcast 
siqnals Most of the major European access control systems 
use smart cards. Other systems that bury the same 
functionality inside the decoder do not usually aHow the 
system to be changed to combat piracy or to add new 
services. Smart cards can be issued by the Subscriber 
Management System which can validate them by 
pre-programming them with keys to authorize access to 
Certain tiers of programmes and/or data service^ As part of 
the same issuing and validat.cn process, the card may 
personalised to make each one valid for one particular 
decoder only. 

Subscriber Authorization System (SAS): ™*™™l m 
responsible for organizing, sequenc.ng a ^Jf^l^Xer 
and ECM data streams under direction from the Suoscnoe 
Management System. 

Subscriber Management System (SMS): ™**Z»* 
centre which issues the smart cards. s ?"* ^"sSurce 
receives payments from subscribers. Ar nmpo rtanr res 
of the Subscriber Management System J a ^«abase o ^ 
inflation about the f^scnbers th « senal num they 
decoders and information about the ^™e s v is 
have subscribed. In commercial terms, this mtorm 
highly sensitive. 
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Figure 1 

Vertically-integrated 
CA system. 
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Figure 2 

Devolved CA system. 
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Figure 3 

Devolved/ shared/common 
CA system. 
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Programmes 
Entitlements to view 
Money, addresses and bills 
Money and addresses 



SMS= Subscriber Management System 
SAS - Subscriber Authorization System 
IRD = Integrated Receiver Oecoder 
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- to facilitate parental control (i.e. to restrict 
access to certain categories of programme -). 

c — i 2. Transactional models 

Transactional models can be used to illustrate the 
underlying commercial transactions that take 
place in a conditional access broadcasting system, 
in a way which is independent of the technology 
employed. A similar analogy is sometimes used 
for the sale of goods to the public through retail and 
wholesale chains: in that situation, there is a flow 
of goods and services in one direction - from the 
manufacturers to the end customers - and a flow of 
money in the reverse direction. 

A model of a vertically-integrated CA system is 
shown in Fig. /. Here, the service provider is also 
the network operator and the CA system operator 
Historically. CA systems originated in this form 
and the model remains true for many cable 
systems today: the cable operator acts as the ser- 
vice provider (usually by purchasing the rights to 
show programmes made by third parties) and also 
as the carrier and the CA system operator. In such 
circumstances, and especially where - as in most 
cable systems - the cable operator supplies and 
owns the decoders, a single proprietary system is 
acceptable, because there is no requirement to 
share any part of the system with competitors. 

A model of a devolved CA system is shown in 
Fig. 2. In this case, the functions of the service 
provider, network operator and CA system 
operator are split. Indeed, there are two separate 
service providers, A and B. who share a common 
delivery system (owned arid operated by a third 
party) and a common CA system which is owned 
and operated by a different third party. Thus all 
billing and collection of money is carried out by 
the CA system operator who then passes on pay- 
ments in respect of programme rights back to the 
appropriate service providers. This model is true 
for many analogue satellite systems today and 
also applies to a retail market in which there is 
only one retailer. Note how the CA system opera- 
tor has information about the names, addresses 
and entitlement status of all viewers: programme 
providers, on the other hand, have access only to 



2. This is generally ;i Service In formal ion (SI ) function. 
However, regulators mighl specify thai programmes 
should rx* scrambled where parental control is required. 
In current analogue systems, parenial control often uses 
the CA system. 



the names, addresses and entitlement status of 
viewers to their own services. 

An alternative model of a devolved CA system is 
shown in Fig. 3. Here, there are two independent 
CA Subscriber Authorization System (S AS) oper- 
ators. I and J (see Section 5 J.). System J is used 
by service provider C only, whereas system I is 
used by all three service providers. Conversely, 
service providers A and B use system I only, 
whereas service provider C uses systems I and J. 
Thus, viewers to the services provided by C can 
use a decoder which is appropriate for either 
system I or J. A further feature of this model is that 
the billing and the money flow is directly between 
the viewers and the Subscriber Management 
System (SMS) operators (see Section 5 J.): it does 
not pass via the S AS operators or the transmission 
system operators. Consequently, sensitive in- 
formation about the names and addresses of sub- 
scribers is known only to the appropriate service 
provider. 

c=j 3. Functional model o f a CA 
reference system 

A functional model of a hypothetical CA reference 
system is now described. The model is loosely 
based on the Eitrocrypt conditional access system 
but its principles of operation are expected to apply 
to CA systems generally. 

a 3.1. Conditional Access 
Sub-System 

A Conditional Access Sub-System (CASS) is a 
detachable security module which is used as part 
of the CA system in a receiver. It is also possible 
to embed the security module in the receiver itself, 
in which case each receiver will typically have its 
own secret individual address. Replacement of the 
CASS is one means of recovering from a piracy at- 
tack. Replacement of the CASS also enables new 
features to be added to the system as and when they 
are developed. 

For analogue systems and some digital systems, 
the CASSIS typically a smart card \ 1 1. For digital 
systems which use the Common Interface (see 
Section 3.6. ). the CASS will be a PCMCIA 3 mod- 
ule and this may have an associated sman card. 

3. Personal Computer Manufacturers Computer Interface 
Association. 
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■i 3.2. Scrambling and descrambling 

The basic process of scrambling and descrambling 
the broadcast MPEG-2 transport stream [2] is 
shown in Fig. 4. The European DVB Project has 
defined a suitable, highly-secure, Common 
Scrambling Algorithm. 

■ 3.3. Entitlement Control Messages 

The generation, transmission and application of 
Entitlement Control Messages (ECMs) - which 



are used to recover the descrambling control word 
in the decoder - is illustrated in Fig. 5. The ECMs 
are combined with a service key,and the result \> 
decrypted to produce a control word. At present, 
the control word is typically 60 bits long and is up- 
dated every 2- 10 seconds. 

If the access conditions are to be changed at a pro- 
gramme boundary, it may be necessary to update 
the access conditions every frame, which is mucr 
more frequently than is required for securit\ 
reasons. Alternatively, a change in access condi 



Figure 4 

Basic scrambling system. 
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Figure 5 

Scrambling system with 
Encrypted Control Words. 
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tions could be made frame-specific by sending out 
a change in entitlements in advance and then insti- 
gating the change with a flag. A third method 
would be to change the control word itself at a 
programme boundary. However, the second and 
third approaches would not allow a programme 
producer to change the access conditions instanta- 
neously. 

■ 3.4. Entitlement Management 
Messages 

The generation, transmission, and application of 
Entitlement Management Messages (EMMs) by 
the Subscriber Authorization System is illustrated 
in Fig 6. 

The card supplier provides the CASS (usually a 
smart card) and then the SAS sends the EMMs 



over-air or by another route, e.g. via a telephone 
line. To retain the confidentiality of customer in- 
formation, it is best that the card supplier delivers 
the smart cards direct to the Subscriber Manage- 
ment System (or another business centre which 
guarantees confidentiality) for mailing to the 
viewer (see Section J.5.). 

It is possible to supply the cards through retail out- 
lets as well, provided the retailer can guarantee 
confidentiality. In this situation, considerable care 
has to be taken if the cards have been pre- 
authorized by the SAS, because such cards will be 
a worthwhile target for theft. 

When using the CA Common Interface [3], incon- 
juction with a PCMCIA module acting as the 
CASS, the descrambler is also situated in the 
CASS. 



Figure 6 
Scrambling system with 
encrypted Control Words and 
Entitlement Management 
Messages. 
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m 3.5. Subscriber Management 
System 

As shown in Fig 7.. the reference model is com- 
pleted by the addition of a Subscriber Management 
System (SMS), which deals with the billing of 
viewers and the collection of their payments. The 
control word need not be a decrypted ECM; it can 
be generated locally (e.g. from a seed) which 
means that the control word could be changed very 
quickly. 

■i 3.5. Common Interface 

The European DVB Project has designed a 
Common Interlace for use between the Integrated 
Receiver Decoder (IRD) and the CA system. As 
shown in Fig. 3. the IRD contains only those ele- 
ments that are needed to receive clear broadcasts. 



The CA system is contained in a low-priced, pro- 
prietary module which communicates with the 
IRD via the Common Interface. No secret condi- 
tional access data passes across the interface. 

The Common Interface allows broadcasters to use 
CA modules which contain solutions from differ- 
ent suppliers, thus increasing their choice and ant t- 
piracy options. 

hi 4. General requirements of a 
CA system 

To be acceptable for use by EBU members, a 
conditional access system needs to meet the fol- 
lowing general requirements, some of which con- 
flict. 



Figure 7 

Scrambling system with 
encrypted Control Words, 
Entitlement Management 
Messages and Subscriber 
Management System. 
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DVB Common 
Interface. 



■ 4.1. Convenience for viewers 

The CA system should impose a minimum of bur- 
den on the authorized viewer at any stage in the 
transaction. In particular it should not require 
special action when changing channels (e.g. 
swapping a smart card or keying in a Personal 
Identification Number) norshould it significantly 
delay presentation of picture and sound when 
"zapping" (a sensible upper limit on the "zap- 
ping" time is I second). 

Furthermore, it should be easy to gain initial ac- 
cess to the broadcasts, requiring the minimum of 
equipment, outlay and effort. Ideally, the com- 
plete system would be integrated into the televi- 
sion set which would be able to access any com- 



bination of programme services to which 
individual viewers had subscribed. 

It should be easy for the viewer to pay the neces- 
sary fees to the programme supplier. Payment 
methods should include all forms of monetary 
transaction including cash, direct debits and credit 
cards. The viewer might prefer to receive a single 
bill for any combination of services provided over 
a period of time. It may therefore be desirable, but 
not a necessity, for different CA system operators 
to share the use of smart cards. 

■ 4.2. Security 

The CA system must be effective in preventing 
piracy, i.e. unauthorized viewing by people who are 
not entitled to access particular programmes or ser- 
vices. Although no CA technology can deliver per- 
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feet security, the overall system - combined with 
appropriate anti-piracy legislation and evasion- 
deterrent measures - must make piracy sufficiently 
difficult and/or uneconomic that the levels of 
evasion are kept small. Smart cards or payment 
cards must be resistant to tampering. For Pay-Per- 
View services in particular, the counting mecha- 
nism which indicates the remaining credit should be 
immune to resetting by unauthorized parties. 

It is very important that the relationship between 
the service provider and the CA system operator is 
well defined so that, for example, a CA system 
operator can be compelled to act when piracy 
reaches a certain level. There are a number of ways 
to recover from a piracy attack. It is possible to 
initiate electronic counter measures over-air. 
whereby pirate cards are disabled or subtle changes 
are made in the operation of genuine CASSs. Alter- 
natively, by issuing new C ASSs, large changes can 
be made to the conditional access system. 

■ 4.3. Open marketing of digital 
receivers 

The viewers should be able to benefit from a large 
choice of digital receivers or set-top boxes, 
produced by a wide range of manufacturers com- 
peting in an open market. Such an open market 
ideally requires that the complete digital broad- 
casting system, excluding the CA system, be fully 
described in open standards which are fully pub- 
lished by the appropriate organization (e.g. the 
ETSI 4 or the ISO 5 ). The terms of licensing any 
Intellectual Property Rights (IPR) included with- 
in a standard must be regulated by the appropriate 
standards organization. (For example, in the case 
of an ETSI standard, licensing is open to all 
manufacturers on an equitable basis.) 

It is undesirable for the CA system to be standard- 
ized: instead, the flexibility offered by the DVB 
Common Interface should ensure that a plurality of 
CA systems may be adopted (see Section 3.6.). 

m* 4.4. Open marketing of programme 
services 

Authorized programme services should be acces- 
sible to any viewer whose IRD conforms to the 
relevant standard and who has the relevant CA en- 
titlements issued solely under the control ot the 
service provider. It must also be ensured that all 



4. European Telecommunications SuinitonK InMitute. 

5. International Organisation tor SunJardisjiion. 



approved service providers have lair access to a 
suitable delivery system. 

h 4.5. Autonomy of the service 
provider's business 

The primary contract should be between the ser- 
vice provider and the viewer. Although third panics 
(such as common carriers and/or CA system opera- 
tors) may necessarily be involved in the broadcast - 
ins process, the CA system (and any other pan of 
the system) should not require the service provider 
to share commercially-sensitive information with 
rival service providers, e.g. the identities of cus- 
tomers and their entitlements to view. 

hi 4.6. Low entry and operating costs 

The cost of setting up and operating the CA system 
is significant but must not be prohibitive. In particu- 
lar, it should be capable of being scaled to allow low 
start-up costs when the subscriber base is very small 

The system should not pose a constraint on the ulti- 
mate number of households that can be addressed, 
this could reach many tens of millions. The cost> 
of upgrades to the CA system and of recovering 
from security breaches should be minimized by 
selecting a reliable and secure system. 

»h 5. Functional requirements of 
a CA system 

m 5. 1. Payment schemes 

It is important that the CA system supports a wid<. 
range of charging and payment schemes. 

These include: 

- Subscription fprc-paymeni for a time period o 
viewing); 

- Pen-Per-View (payment for a programme o 
group of programmes); 

- impulse Pay-Per-View (payment for a pro 
iiramme or group of programmes withou 
advance notice). 

Pay-Per-View (PPV) and Impulse Pay-Per-Vie% 
(IPPV) often require the provision of a return pat 
from the viewer to the CA system operator: i 
many systems this is implemented using a tck 
phone connection and a modem built into th 
IRD. The return path can be used to record view 
ing history, which is important when considenn 
the programme rights issues. 

The acceptability and rules of operation for such 
telephone return-path need further study. In par 
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ticular. a system must exist for those viewers who 
do not have a telephone connection. One possible 
method would be to purchase credits in advance 
and to store them as viewing tokens on a smart card 
or CA module. The card or module could be re- 
authorized at a trusted dealer when information on 
past viewing could be transferred to the system 
operator. Provided security was not compromised, 
it would also be possible to have the smart card or 
module credited over-air with tokens which could 
be initiated by a telephoned (voice) request from 
the viewer. There must be a method to ensure that 
all service providers are paid fairly for the pro- 
grammes provided, in proportion to the total num- 
ber of viewer hours. 

■ 5.2. Multiple-decoder households 

The question must be addressed as to whether pay- 
ment authorizes: 

1. the use of only one decoder to receive and 
decode the services; 

2. use throughout a household, which may have 
multiple receivers/decoders and a VCR; 

3. use by one individual anywhere within a house- 
hold, in which case the entitlement needs to be 
transferable from one IRD to another, probably 
using a detachable security element such as a 
smart card. 

In the third case given above, there is a conflict 
with the requirement to validate the security de- 
vice for use with a particular decoder only. There- 
fore, each decoder should have its own CASS and 
the records of multiple CASSs within a household 
should be grouped together in the SMS to permit 
appropriate and reasonable billing. 

■i 5.3. Sharing of the CA system 

In order to provide a fair and open market for CA 
broadcasts to develop, it is important that elements 
of the CA system can be shared. These include the 
following. 

■ 5,3.1. Receivers/decoders 

One generic receiver/decoder should be capable 
of receiving and decoding CA broadcasts from a 
number of different broadcasters, perhaps using 
different delivery media (e.g. cable, satellite, ter- 
restrial). This may imply that the decoder can sup- 
port simultaneous use of multiple security devices, 
or that one security device can be shared between 
different service providers. In the latter case, the 
security device needs to be partitioned into inde- 



pendent zones so that operators have access to 
write to and read from only those zones which con- 
tain information about entitlements to view their 
own services. Where operators share a security 
device, it is important to resolve who issues and, 
more importantly, who re-issues the security de- 
vice - especially in the case of a breach of security 
requiring a change of security device. 

A particularly important and difficult requirement 
which arises from the need to share decoders is that 
of allowing the IRD to be tuned to broadcasts 
which do not necessarily carry the same over-air 
entitlement messages. It is worthwhile monitoring 
as many EMM data streams as possible, even when 
the receiver is in standby mode. 

In some instances ( for example, message broadcast- 
ing), it is necessary for the broadcaster to be able to 
address large numbers of decoders in a short period 
of time. In these situations, it is worth using shared 
keys to reduce the access time for large audiences. 
The audience is subdivided into groups of viewers; 
each person within a particular group has the same 
shared key which forms a pan of the overall control 
word. Also, different messages intended for the 
same viewer can be combined together. 

■ 5.3.2. Delivery system 

It is obvious that any one delivery medium (e.g. 
cable network, satellite transponder or terrestrial 
broadcast channel) should be capable of being 
shared between different and perhaps rival broad- 
casters. Less obvious, but perhaps equally impor- 
tant, is that any one transport stream should be 
capable of being decoded by different types of de- 
coder, so that one broadcast can simultaneously 
use different kinds of CA system. This is the 
SimulCrypt concept (see Section 7.I.I.). 

■ 5.3.3. CA Systems 

When considering the sharing of CA systems at 
the sending end. it is important to be able to divide 
the system into two separate functional elements: 

a) Subscriber Management System (SMS) 

The SMS is primarily responsible for sending 
out bills and receiving payments from viewers. 
It does not need to, and should not, be specific 
to a particular C A system. The SMS necessarily 
holds commercially-sensitive information such 
as the database of subscribers names and ad- 
dresses and their entitlement status. Sharing o\ 
the SMS between rival broadcasters is possible 
if and only if. it is operated by a trusted third 
party and only if adequate -firewalls" are pro- 
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vided so that any one service provider can ac- 
cess information only aboui subscribers lo his 
or her own services. Although sharing an SMS 
may be seen as undesirable, it must be recog- 
nised that setting up and running an SMS is ex- 
pensive, perhaps prohibitively so tor services 
with a small number of subscribers at the outset. 

The work of the SMS can be contracted out to 
a trusted third parry (TTP). e.g. a secure and 
reliable organization such as a bank. There 
should be a subscriber database and the system 
must deal with changes to subscription details, 
installation difficulties, marketing, billing and 
card distribution. The SMS also manages the 
system installers and sends Entitlement Man- 
agement Messages (to authorize viewers) to the 
Subscriber Authorization System queue. 

To ensure the privacy of customer database 
information, the SMS could mail replacement 
smart cards and CA modules to the viewers. 
These could be provided pre-authorized by the 
conditional access system operator or could be 
authorized over-air by the Subscriber Autho- 
rization System using virtual addresses pro- 
vided by the SMS. 

At the moment, cable companies often send out 
a tape of customer usage to another company, at 
the end of the month, for billing. 

b) Subscriber Authorization System 

The Subscriber Authorization System (S AS) is 
primarily responsible for sending out the over- 
air entitlement messages and for validating 
security dev ices. The S AS needs a unique serial 
number (address) for each IRD security device 
but should not need access to commercially- 
sensitive information such as the names and 
addresses of subscribers. Hence it should be 
easily possible for rival broadcasters to share an 
SAS, although there are issues to be resolved 
concerning une queuing times for messages. 
Smart cards can be indirectly authorized over- 
air by the SAS. 

The SAS generates a scrambler control word, 
encrypts the conditional access data, queues 
and prioritises the Entitlement Management 
Messages from the Subscriber Management 
System, and scrambles the pictures and sound. 
New messages from the SMS join the immedi- 
ate queue, to be transmitted as soon as possible, 
and also join a regular cyclic queue where they 
stay until they expire. The frequency of trans- 
mission depends on the length of the queue and 
messages are expired by category. There will be 
a maximum limit on response time beyond 



which the system will not be usable. Disable 
messages may have an indefinite lifetime 
whereas enable messages may have a lifetime 
of a month or so. For security reasons, commu- 
nication between the SMS and the SAS can be 
encrypted although this may not be necessary if 
all svstems are in a secure environment. 

□ 5.4. Transcontroi at media 
boundaries 

It will often be the case that a broadcast signal may 
travel via two or more different delivery media in 
tandem; for example the broadcast may be carried 
on a satellite and then conveyed into some homes 
via a cable system. In such cases it is often desir- 
able to change the entitlement control at the media 
boundary without needing to descramble and re- 
scramblecompletely. (This is possible with the use 
of the Common Scrambling Algorithm.) Howev- 
er, this method may present a security risk because 
one CA system operator would have to present the 
control word to another CA system operator inside 
the transcontroi equipment. 

In practice it may be more secure (though more 
expensive) to descramble and rescramble at the 
media boundary. Descramblers and rescramblers 
from different CA system manufacturers could 
potentially be built into different PCMCIA modules. 

Changing the entitlement control at the media 
boundary" enables the end-transmission-system- 
operators to maintain direct control over each ot 
their subscribers for all services provided. This 
means that the viewer only has to operate the CA 
system used by the end-transmission-system- 
operator. However, this approach also means that 
the service providers and the other transmission- 
system-operators that have supplied services to the 
end-transmission-system-operatorcannot have di- 
rect and exclusive interaction with the subscribers. 

Another approach would be to have no transcon- 
troi at media boundaries. The viewer would have 
access to all services using either the S.mulCrypt 
or MultiCrvpt approaches. This has the disadvan- 
tage to the end-transm.ssion-system-operator that 
aUcontroi is handed over to the original CAsystem 
operator and it therefore requires a good working 
relationship between all parties. 



ess 6. Operational requirements 
of a CA system 

For security reasons it is important to include at 
least the following functions in a CA system: 
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Disable/enable decoder 

Individual decoders or groups of decoders are 
prevented from descrambling any service, re- 
gardless of the authorizations stored in the 
smart card or other security device. 

Disable/enable card 

Individual smart cards, or groups of smart cards 
(or other security devices), need to be capable 
of being enabled or disabled over-air. 

Disable/enable programme service 

Individual smart cards, or groups of smart 
cards, need to be capable of being enabled or 
disabled over-air to decode any one particular 
programme service. 

Send message to decoder 

A text message is sent to individual decoders or 
groups of decoders for display on the screen; 
alternatively, the over-air message may com- 
prise a display command and address of a mes- 
sage which is pre-stored in the decoder or smart 
card, e.g. to warn of imminent expiry or to 
request the viewer to contact the SMS because 
of account difficulties. 

- Send message to decoder for individual 
programme service 

A text message is sent to individual decoders or 
groups of decoders in the same way as above, 
but is displayed only when the receiver/decoder 
selects the relevant programme service. 

- Show customer s ID card 

The serial number of the smart card, or other 
means of identification (ID), is displayed on the 
screen. This is not the secret ID contained with- 
in the card, but is an unprotected ID which 
could be printed on the card. This function is 
useful for maintenance procedures. 

- Alter switching and drop-dead dates 

An important security feature is that the algo- 
rithms used to decrypt the over-air entitlement 
messages and derive the descrambling control 
words can be changed. To allow smooth transi- 
tion from one set of algorithms to the next, it is 
helpfut if the smart card (or other security de- 
vice) can store both algorithms and a date for 
switching from one to the other; this switching 
date can be alterable over-air. There should also 
be a "drop dead" date beyond which the card will 
cease to function at all. Note that not all CA sys- 
tems perform these functions in this way and the 
implementation may be very system-dependent. 



mm 7. System implementation 
m 71. Satellite transmission 

The DVB Project has given its backing to two CA 
approaches for the transmission of digital televi- 
sion via satellite, namely SimulCrypt and Multi- 
Crypt. These approaches are also relevant in cable 
and terrestrial transmission. 

■ 7.1.1. SimulCrypt 

In the case of SimulCrypt, each service is trans- 
mitted with the entitlement messages for a number 
of different proprietary systems, so that decoders 
using different conditional access systems (in dif- 
ferent geographic areas) can decode the service. 
SimulCrypt requires a common framework for 
signalling the different Entitlement Message 
streams. Access to the system is controlled by the 
system operators. Operation of the system re- 
quires commercial negotiations between broad- 
casters and conditional access operators. A code 
of conduct has been drawn up for the operation of 
SimulCrypt. 

The philosophy behind the system is that in one 
geographical area, it will only be necessary to 
have a single smart card or C A module and a single 
decoder to receive the local service. If one wanted 
to descramble the service of a neighbouring area, 
one could subscribe to. and use the smart card/ 
module for that service. Consequently, it is only 
necessary to have a single Subscriber Management 
System for a given area. When a viewer wants to 
watch services from two neighbouring areas, it is 
necessary for both services to carry the entitlement 
messages for that viewer. Therefore it is necessary 
to have secure links between the different Sub- 
scriber Management Systems of the different 
operators to allow transfer of the entitlement mes- 
sages between operators. 

■ 7.1.2. MultiCrypt 

MultiCrypt is an open system which allows com- 
petition between conditional access system pro- 
viders and Subscriber Management System opera- 
tors. MultiCrypt uses common receiver/decoder 
elements which could be built into television sets. 
The Common Conditional Access Interface can be 
used to implement MultiCrypt. Conditional ac- 
cess modules from different system operators can 
be plugged into different slots in the common 
receiver/decoder, using the common interface. 

■ 7.2. Return path 

For most home installations, a return path could be 
set up between the set-top decoder and the Sub- 
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scriber Management System using a modem and 
the telephone network or a cable TV return. For 
example, calls could be initiated by the customer 
usine a remote control unit which auto-dials a 
number delivered over-air. Also, the broadcaster 
mav want the customer's decoder box to contact 
theSMS. This process could be initiated by com- 
mands sent over-air or (less likely) the SMS could 
dial up the customer's decoder box and interro- 
gate it directly. 



return path could also be used to check that the 
decoder is tuned to the correct channel when 
2 jvi n o authorization over-air. This could re- 
duce The number of over-air signals that had to 
be repealed perpetually. 

□ 7.2.2. Reasons for not using a return 
path 

There are also a number of reasons for not using a 
return path, as follows: 



72. 1 . Reasons for using a return path a) increased decoder cost; 

b) Installation difficulties; 



There are a number of reasons for using a return 
path: 

a) Enhanced security; 

The return path establishes a one-to-one link 
between the broadcaster and each decoder box. 
Communication via the return path should be 
encrypted. 

b) Payment billing; 

Pre-booked Pay-Per-View (PPV) and impulse 
PPV could be registered using the return path. 
Also, electronic viewing tokens could be pur- 
chased via the return path. A central server with 
a gateway would be necessary as a buffer for the 
large numbers of requests that would be ex- 
pected as part of a Pay-Per-View service. These 
payment billing services could also be obtained 
by the viewer dialling up the SMS using his con- 
ventional telephone and having a conversation 
with an operator at the SMS. However this ap- 
proach would be more time-consuming and 
costly to both the viewer and the SMS. 

c) interactive TV; 

The return path could be used for audience par- 
ticipation (for example voting, games playing, 
teleshoppmgandtelebanking). The return path 
could also be used for message delivery from 
the SMS to the decoder, although its limited 
bandwidth means that it is not very suitable for 
more complicated procedures such as Video- 
On-Demand ( VOD). The return path could be 
used to deliver to the SMS diagnostic informa- 
tion such as measurements of signal strength 
and bit error rate ( BER) to help solve transmis- 
sion problems, and other information such as a 
record of programmes watched to provide sta- 
tistical information to the broadcaster, 

d) Transmission of entitlement messages. 

For large shared networks, the capacity for 
transmission of entitlement messages may be 
inadequate and additional capacity may be 
achieved by using the telephone network. The 



The customer may not have a telephone at all, or 
may not have a telephone in the relevant room t in 
which case an extension socket would have to be 
fitted or a "cordless" connection would have to 
be used which would increase costs). 

c) Reliabiliry of the telephone; 

In some areas, the reliability of the telephone 
service may be an issue. 

d) Blocking of normal calls; 

When the decoder is communicating, it will not 
be possible to make or receive normal telephone 
calls, unless there is more than one telephone 
line to the house. 

e) Telephone tapping. 

Depending on how the communication system 
works, there is a potential for reduced system 
security due to telephone tapping. Ideally, tc 
overcome this problem, it is recommended thai 
the Subscriber Management System should re 
turn the calls made by the IRD (although thi> 
will increase the costs to the SMS), the commit 
nication should be encrypted, and the Subscrib 
er Management System should be able to identi 
fy individual IRDs. 

Overall, the benefits of using a return path far ex 
ceed the costs. In situations where the return pat! 
does not exist but alternative facilities exist for per 
forming some of its functions, decoders should b 
manufactured which are capable of implement 
the return path. Cheaper decoders could be sol 
which do not have this option installed. 

m 7.3. Home video recorders 

If (he viewer wants to watch one programme whii 
recording another, then decisions will have to r 
made about the payment approach for the scrvio 
When usine the Common Interface of the CA w 
tern, it should be possible to descramble two chai 
nels on the same multiplex (one to watch and th 
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other to record), using one PCMCIA module. To 
descrambie two channels on different multiplexes, 
one would need two PCMCIA modules, two tuners 
and two MPEG-2 decoders. 

One approach would be to view the descrambled 
picture from one channel and to record the 
scrambled picture from another channel. The re- 
corded picture could then be descrambled at view- 
ing time and the appropriate charges could be made 
in a Pay-Per-View system. Copy protection could 
be sec for the digital recording. However, if the 
DVTR does not record the encrypted data 
associated with scrambling or. if the encryption 
mechanism would prevent successful descram- 
bling at the later replay time, it would be possible 
to record an altered, but fixed, key. On replay, the 
picture could be descrambled using the fixed key. 
which would be specific to a particular recorder. 
This would help to ensure copyright protection by 
preventing a scrambled picture on a tape from one 
video recorder being descrambled by another 
video recorder. 

Two descramblers could be used to permit the des- 
crambling and recording of one programme whilst 
watching another. This has the disadvantage of 
added cost and complexity. Copy protection 
should be set for the original digital recording to 
hinder further digital recordings being made. 

The question then arises as to whether to locate the 
second conditional access module in the IRD or in 
the video recorder. There are arguments in favour 
of both options and there is no need to standardize 
on one approach. In the end, the decision will be 
made by decoder and video recorder manufactur- 
ers. When costs fall sufficiently, it is likely that 
top-of-the-range IRDs and video recorders will 
have descramblers installed. (If the initial costs of 
digital video recorders are very high, it may also be 
possible to buy analogue video recorders with 
built-in descramblers). 

The second descrambler/conditional access mod- 
ule could be installed either in the existing IRD 
box. or in the VCR. There are arguments in favour 
of both approaches: 

I ft the existing IRD box 

a) Having two complete descramblers in the IRD 
box, rather than one in the IRD box and one in 
the video recorder, would reduce the cost and 
complexity of the overall system but only by a 
relatively small amount; 



b) The second descrambler could also be used 
if the viewer only owned an analogue video 
recorder. 

In the video recorder 

a) The video recorder could be used on its own, 
without the need for a separate IRD box to 
record programmes; 

b) Any number of video recorders could be used 
without the need for multiple IRD boxes. 

To reduce costs, the second descrambler could 
initially be available as an optional add-on to the 
IRD box. 

■■■ 8. Conclusions and 
recommendations 

A basic set of transactional and functional models 
of CA systems for use with digital video broadcast- 
ing systems has been outlined. These models are 
intended to help EBU Members to understand and 
evaluate practical CA systems for use with future 
DVB services and, in particular, to understand the 
functionality, technical terms, and trade-offs in 
these systems. The specification or evaluation of 
a practical CA system requires considerably more 
depth and detail than could be included in this out- 
line. In particular, an evaluation of security issues 
requires a careful analysis of the overall system 
security, including non-technical issues such as the 
theft of data. 
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